www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on

Browse Source 
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1564760 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2014-02-05 13:02:35 +00:00
parent 304da56908
commit 1f3cc513a0
1 changed files with 34 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
modules/ssl/ssl_engine_init.c
View File

@@ -979,7 +979,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
/* warn about potential cert issues */ /* warn about potential cert issues */
ssl_check_public_cert(s, ptemp, cert, key_id); ssl_check_public_cert(s, ptemp, cert, key_id);
#ifdef HAVE_OCSP_STAPLING #if defined(HAVE_OCSP_STAPLING) && !defined(SSL_CTRL_SET_CURRENT_CERT)
/*
* OpenSSL up to 1.0.1: configure stapling as we go. In 1.0.2
* and later, there's SSL_CTX_set_current_cert, which allows
* iterating over all certs in an SSL_CTX (including those possibly
* loaded via SSLOpenSSLConfCmd Certificate), so for 1.0.2 and
* later, we defer to the code in ssl_init_server_ctx.
*/
if ((mctx->stapling_enabled == TRUE) && if ((mctx->stapling_enabled == TRUE) &&
!ssl_stapling_init_cert(s, mctx, cert)) { !ssl_stapling_init_cert(s, mctx, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
@@ -1305,23 +1312,6 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
"\"SSLOpenSSLConfCmd %s %s\" applied to %s", "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
param->name, param->value, sc->vhost_id); param->name, param->value, sc->vhost_id);
} }
#ifdef HAVE_OCSP_STAPLING
/*
* Special case: if OCSP stapling is enabled, and a certificate
* has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
* we also need to call ssl_stapling_init_cert here.
*/
if ((sc->server->stapling_enabled == TRUE) &&
!strcasecmp(param->name, "Certificate")) {
X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
"Unable to configure certificate loaded "
"from %s for %s for stapling",
param->value, sc->vhost_id);
}
}
#endif
} }
if (SSL_CONF_CTX_finish(cctx) == 0) { if (SSL_CONF_CTX_finish(cctx) == 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
@@ -1341,6 +1331,32 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
return ssl_die(s); return ssl_die(s);
} }
#if defined(HAVE_OCSP_STAPLING) && defined(SSL_CTRL_SET_CURRENT_CERT)
/*
* OpenSSL 1.0.2 and later allows iterating over all SSL_CTX certs
* by means of SSL_CTX_set_current_cert. Enabling stapling at this
* (late) point makes sure that we catch both certificates loaded
* via SSLCertificateFile and SSLOpenSSLConfCmd Certificate.
*/
if (sc->server->stapling_enabled == TRUE) {
X509 *cert;
int i = 0;
int ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
SSL_CERT_SET_FIRST);
while (ret) {
cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO()
"Unable to configure certificate %s:%d "
"for stapling", sc->vhost_id, i);
}
ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
SSL_CERT_SET_NEXT);
i++;
}
}
#endif
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) { if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
return rv; return rv;